KillSec: Hacktivists Turned RaaS Syndicate

KillSec, a Russia-linked RaaS group, targets healthcare and finance, leveraging OSINT and affiliates for extortion, showing a preference for Asian victims over Western ones.

    Overview

    KillSec is a relatively new threat actor group, first appearing publicly in October 2023. Initially recruiting individuals skilled in network and web penetration and malware creation, they quickly transitioned beyond hacktivism to establish a Ransomware-as-a-Service (RaaS) operation and offer penetration testing and OSINT services. Their operations suggest origins in the Eastern Europe/Russia region, although they actively recruit internationally. While claiming to prohibit attacks on critical infrastructure, a significant portion (approximately 20%) of their alleged attacks target the healthcare sector, raising serious concerns. Their methods seem focused on extortion rather than sophisticated encryption-based ransomware.

    Known Aliases:

    Currently, KillSec is the only known alias for this threat actor group.

    Country of Origin:

    While not definitively confirmed, KillSec’s operations, language use (English and Russian), and thematic content strongly suggest origins in the Eastern Europe/Russia region.

    Most Recent Attacks of KillSec:

    KillSec has claimed responsibility for several high-profile attacks, including those targeting:

    • Ping An: KillSec targeted this Chinese conglomerate, potentially disrupting financial services and exposing sensitive data of millions of customers.
    • Yassir: The super app was compromised by KillSec, with reports suggesting data breaches affecting its ride-hailing, food delivery, and grocery services.
    • Belfius Bank: Sensitive data of approximately 300,000 customers was leaked online following a ransomware attack orchestrated by KillSec.
    • Wilson Tarquin: Specific details about the breach are unclear, but KillSec’s activities often involve ransomware and data exfiltration.
    • Trymata: KillSec added Trymata to its victim list, claiming to have encrypted data and potentially demanding a ransom, though specifics remain undisclosed.
    • Skyward Specialty Insurance: This U.S.-based insurance company faced a ransomware attack by KillSec, with sensitive data likely compromised.

    MITRE ATT&CK Tactics and Techniques Used by KillSec:

    Based on the alleged activities and KillSec’s own service advertisements, the following MITRE ATT&CK (Enterprise) techniques are considered probable for KillSec, grouped by the tactic they belong to in the ATT&CK matrix:

    • Resource Development:
      • T1650: Acquire Access
    • Initial Access:
      • T1078: Valid Accounts
    • Execution:
      • T1059: Command and Scripting Interpreter
    • Lateral Movement:
      • T1021: Remote Services
    • Command and Control:
      • T1102: Web Service
    • Discovery:
      • T1120: Peripheral Device Discovery
      • T1083: File and Directory Discovery
    • Collection:
      • T1213: Data from Information Repositories
      • T1005: Data from Local System

    T1650 (Acquire Access) covers buying existing access to a victim environment rather than breaking in directly, which fits an affiliate-driven RaaS model; T1078 and T1021 together describe the use of those purchased or stolen credentials over RDP, VPN, or SMB, and T1213 and T1005 describe the collection that precedes data-extortion rather than encryption.
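    The pairing of T1078 (Valid Accounts) with T1021 (Remote Services) is the part of this profile a defender can actually hunt for: legitimate credentials used from a source the account has never used before, from outside the network, off-hours, or right after a burst of failures. The script below is an added example, not code from the original page and not KillSec tooling; the log format, the internal address range, the list of remote services, and the business-hours window are all assumptions made for the example, and the log lines are constructed.

```python
"""Hunting for valid-account abuse over remote services (ATT&CK T1078 + T1021).

Added example. The single-line log format used here is assumed for the example:
    "<ISO8601 UTC> <account> <source IP> <service> <success|failure>"
A real deployment would parse Windows 4624/4625 events, VPN concentrator logs, etc.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real data).
SAMPLE_LOGS = """\
2024-05-02T08:12:01Z alice 10.20.1.15 rdp success
2024-05-02T08:40:22Z bob 10.20.1.40 rdp success
2024-05-02T09:05:10Z alice 10.20.1.15 vpn success
2024-05-03T02:17:45Z alice 203.0.113.77 vpn success
2024-05-03T02:19:03Z alice 203.0.113.77 rdp success
2024-05-03T02:21:30Z svc_backup 198.51.100.9 smb failure
2024-05-03T02:21:35Z svc_backup 198.51.100.9 smb failure
2024-05-03T02:21:40Z svc_backup 198.51.100.9 smb success
"""

# Assumptions for the example: the organisation's internal address space, which
# services count as T1021 remote services, and a UTC business-hours window.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
REMOTE_SERVICES = {"rdp", "vpn", "smb", "ssh", "winrm"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC


def parse_ts(s):
    """Parse the 'Z'-suffixed UTC timestamps used in SAMPLE_LOGS into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_logs(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, service, outcome = line.split()
        events.append({"ts": parse_ts(ts), "user": user,
                       "ip": ipaddress.ip_address(ip),
                       "service": service, "outcome": outcome})
    return events


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def build_baseline(events, cutoff):
    """Per-account set of source IPs seen in successful logons before `cutoff`."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["outcome"] == "success":
            baseline[e["user"]].add(e["ip"])
    return baseline


def hunt(events, cutoff):
    """Flag successful remote-service logons at or after `cutoff` that look like
    abuse of valid credentials: new source for the account, external source,
    outside business hours, or a success preceded by failures from that source."""
    baseline = build_baseline(events, cutoff)
    failures = defaultdict(int)  # (account, source IP) -> failed attempts seen
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ts"] < cutoff or e["service"] not in REMOTE_SERVICES:
            continue
        key = (e["user"], e["ip"])
        if e["outcome"] != "success":
            failures[key] += 1
            continue
        reasons = []
        if e["ip"] not in baseline[e["user"]]:
            reasons.append("new source for account")
        if not is_internal(e["ip"]):
            reasons.append("external source")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if failures[key]:
            reasons.append(f"{failures[key]} failures preceded success")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "ip": str(e["ip"]), "service": e["service"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Learn the baseline from 2 May, hunt in everything from 3 May onward.
    for f in hunt(parse_logs(SAMPLE_LOGS), parse_ts("2024-05-03T00:00:00Z")):
        print(f["ts"], f["user"], f["ip"], f["service"], "; ".join(f["reasons"]))
```

    On the constructed input this flags alice’s two off-hours logons from 203.0.113.77 (a source never seen for that account) and the svc_backup SMB session that succeeded after two failures. In production the baseline window should be weeks, not a day, and the "new source" check is usually done on ASN or country rather than a single IP.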

    Methods of Attack/Infiltration Used by KillSec:

    KillSec’s recruitment efforts, focusing on network and web penetration and malware creation, suggest a multi-faceted approach. Their RaaS offering indicates a reliance on affiliate networks to distribute malware, though the specific strains used are not identified. Their OSINT service suggests information gathering plays a role in targeting victims. The lack of detail regarding encryption in their extortion attempts implies a focus on data exfiltration and direct threats rather than sophisticated ransomware deployment.

    KillSec Malware/Ransomware Strains:

    Their RaaS offering promotes an “advanced locker” written in C++, but no specific name or technical details are known. Further investigation is needed to identify the specific tools and techniques employed in their attacks.

    Additional Information:

    • Ransomware-as-a-Service (RaaS) Model: KillSec offers a RaaS program with a $250 entry fee, with KillSec taking a 12% commission on successful ransom payments. The platform includes a control panel accessible via Tor, featuring real-time statistics, a chat function, and a builder tool for customizing ransomware deployments. They are also teasing future additions such as a stresser tool (a DDoS-for-hire component), phone call functionality (potentially for pressuring victims or social engineering), and an advanced stealer.
    • Affiliate Program: KillSec’s affiliate program requires basic English or Russian language skills, indicating an international recruitment strategy. While they claim to prohibit attacks on critical infrastructure, their actions contradict this policy, with a significant percentage of their alleged attacks targeting the healthcare sector.
    • Target Selection: KillSec’s target selection differs from other Eastern European/Russian threat actors, with a disproportionate focus on organizations in India and other Asian countries, rather than primarily Western targets. Their motivations for targeting specific countries or industries remain unclear.
    • Operational Hours: KillSec’s Telegram activity peaks between 10 AM and 7 PM Moscow time, with the most significant spike between 6 PM and 7 PM. This is consistent with a working day in that time zone and supports the origin assessment above, but it does not by itself indicate state affiliation.
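    The operational-hours observation above comes from a routine CTI technique: convert every post timestamp into a candidate time zone, build an hour-of-day histogram, and see which zone makes the activity look most like a normal working day. The script below is an added example, not part of the original page and not derived from KillSec’s actual Telegram data; the post timestamps are constructed, and the candidate zones are fixed UTC offsets chosen to be valid for the sample’s June dates.

```python
"""Profiling an actor's working hours from message timestamps (added example).

Timestamps below are constructed, not real KillSec Telegram posts.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed post timestamps in UTC.
SAMPLE_POSTS_UTC = [
    "2024-06-03T07:05:00Z", "2024-06-03T08:30:00Z", "2024-06-03T10:12:00Z",
    "2024-06-03T12:45:00Z", "2024-06-03T15:10:00Z", "2024-06-03T15:40:00Z",
    "2024-06-03T15:55:00Z", "2024-06-04T07:50:00Z", "2024-06-04T11:20:00Z",
    "2024-06-04T13:05:00Z", "2024-06-04T15:30:00Z", "2024-06-04T16:02:00Z",
    "2024-06-05T09:15:00Z", "2024-06-05T15:25:00Z",
]

# Candidate zones as fixed offsets valid for the sample's June dates (Moscow has
# had no DST since 2014; New York is on EDT, UTC-4, in June). For real data that
# spans DST changes, use zoneinfo.ZoneInfo objects instead of fixed offsets.
CANDIDATE_ZONES = {
    "Europe/Moscow": timezone(timedelta(hours=3)),
    "America/New_York": timezone(timedelta(hours=-4)),
    "Asia/Kolkata": timezone(timedelta(hours=5, minutes=30)),
}
WORKDAY = range(9, 20)  # 09:00-19:59 local: assumed "normal working hours"


def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hourly_histogram(utc_strings, tz):
    """Count posts per local hour (0-23) after converting each UTC time to `tz`."""
    return Counter(parse_utc(s).astimezone(tz).hour for s in utc_strings)


def peak_hour(hist):
    """Local hour with the most posts; ties go to the earlier hour."""
    return max(hist, key=lambda h: (hist[h], -h))


def active_window(hist):
    """Earliest and latest local hours with any activity at all."""
    hours = sorted(hist)
    return hours[0], hours[-1]


def workday_fit(utc_strings, tz):
    """Fraction of posts that land inside WORKDAY when viewed in zone `tz`."""
    hist = hourly_histogram(utc_strings, tz)
    total = sum(hist.values())
    return sum(n for h, n in hist.items() if h in WORKDAY) / total


def best_fit_zone(utc_strings, candidates):
    """Candidate zone whose working day explains the most posts, plus all scores."""
    scores = {name: workday_fit(utc_strings, tz) for name, tz in candidates.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    msk = hourly_histogram(SAMPLE_POSTS_UTC, CANDIDATE_ZONES["Europe/Moscow"])
    print("Moscow-time histogram:", dict(sorted(msk.items())))
    print("peak hour (MSK):", peak_hour(msk), "active window:", active_window(msk))
    best, scores = best_fit_zone(SAMPLE_POSTS_UTC, CANDIDATE_ZONES)
    print("best-fit zone:", best, {k: round(v, 2) for k, v in scores.items()})
```

    With the constructed sample the Moscow view puts every post inside 10:00–19:00 with a spike at 18:00, while the same timestamps read as overnight activity in New York. The caveat that applies to real data applies here too: a working-hours fit narrows the longitude band, not the country, and several zones share UTC+3.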
